CVE-2014-5406

The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port.  NOTE: this issue might overlap CVE-2015-3459.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:C/I:C/A:C
icscertCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 68%
VendorProductVersion
hospiralifecare_pcainfusion_firmware
𝑥
≤ 5.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm
https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01
https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm
https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01
https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/